iPolicy Networks Security Advisory
 

Microsoft Excel Crafted URL Unicode Buffer Overflow Vulnerability

Date Discovered: 06/19/2006
Severity: High
Applications Affected: Microsoft Excel 97
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel Viewer 2003
Synopsis
There exists a stack-based buffer overflow vulnerability in Microsoft Excel. The flaw lies in the system library hlink.dll, which copies a Unicode (UTF-16) URL string taken from a hyperlink in an Excel spreadsheet file into a fixed-size stack buffer without checking the length of the string. An attacker may exploit this vulnerability by enticing a user to open a crafted Excel file and click on a hyperlink embedded in it, which will enable the attacker to inject and execute arbitrary code within the security context of the target user.
Recommended Actions
Avoid opening XLS files from untrusted sources, and do not click on hyperlinks in spreadsheets you do not trust: the overflow is triggered when the link is followed, not merely when the file is opened.
Threat Analysis
Microsoft Excel is a popular spreadsheet application that is usually released as a part of the Microsoft Office suite. The application can create complex spreadsheets with multiple worksheets, formulas, and various data sources. The proprietary file format used for storing Microsoft Excel documents is known as the Binary Interchange File Format (BIFF), with different versions of the application supporting different versions of the format.
There exists a vulnerability in Microsoft Excel relating to the processing of URL strings embedded in an Excel document. Specifically, when a user is enticed to click on a crafted hyperlink carrying an overly long URL, the application passes the URL to the system library hlink.dll so that the link can be opened in a web browser. hlink.dll copies the URL string into a stack-allocated buffer that is 0xE38 bytes in size without checking the size of the source string. The copy is made using a wcscpy-like function that copies 16-bit Unicode code units until it finds a 16-bit NUL (two consecutive zero bytes), so the length of the copy is controlled entirely by the attacker. A URL longer than the buffer therefore overwrites the saved return address of the calling function as well as the pointer to the Structured Exception Handler (SEH) record, which is located 0x1030 bytes from the start of the buffer; overwriting either is sufficient to redirect execution into attacker-supplied data. Because the copy stops at the first 16-bit NUL, the crafted URL cannot itself contain a zero code unit, which constrains the addresses an attacker can write.
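The copy pattern described above, as an added example that is not taken from hlink.dll or from the original advisory: a C model of a stack frame with a 0xE38-byte buffer and the SEH handler pointer 0x1030 bytes past its start, with the unbounded 16-bit copy beside a length-checked replacement. The frame layout is simplified, and the handler address, URL contents and function names are constructed for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Figures quoted in the advisory: a 0xE38-byte stack buffer, with the SEH
 * record's handler pointer 0x1030 bytes past the start of that buffer. */
#define BUF_BYTES        0xE38u
#define SEH_OFFSET       0x1030u
/* Modelled stack frame: buffer, the gap up to the SEH record, the handler
 * pointer and some slack. A real stack continues past this point. */
#define FRAME_BYTES      0x1040u
/* Stand-in for whatever handler address the frame held before the copy
 * (constructed value, not a real address). */
#define ORIGINAL_HANDLER 0x11223344u

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void write_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* Store one UTF-16 code unit the way Windows lays it out in memory. */
static void store16(uint8_t *p, uint16_t cu) {
    p[0] = (uint8_t)cu; p[1] = (uint8_t)(cu >> 8);
}
/* Length of a UTF-16 string in code units, excluding the terminator. */
static size_t len16(const uint16_t *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* The pattern the advisory describes: copy code units until the 16-bit NUL
 * (the "double NULL") without ever consulting BUF_BYTES. Returns bytes
 * written. The frame_len check only keeps the model inside its own array;
 * it stands for the edge of the stack, not for a bounds check. */
static size_t vulnerable_copy(uint8_t *frame, size_t frame_len, const uint16_t *url) {
    size_t i = 0;
    do {
        if ((i + 1) * 2 > frame_len) break;
        store16(frame + i * 2, url[i]);
    } while (url[i++] != 0);
    return i * 2;
}

/* Fixed form: measure first, reject anything that does not fit in the
 * buffer together with its terminator, and only then copy.
 * Returns 0 on success, -1 if the URL was rejected. */
static int hardened_copy(uint8_t *frame, size_t frame_len, const uint16_t *url) {
    size_t n = len16(url) + 1;
    if (n * 2 > BUF_BYTES || n * 2 > frame_len) return -1;
    for (size_t i = 0; i < n; i++) store16(frame + i * 2, url[i]);
    return 0;
}

/* Builds a constructed URL ("http://" then 'A' filler) whose length puts the
 * two code units of seh_value exactly on the SEH handler slot. Neither half
 * of seh_value may be zero: the copy would stop there. Returns code units. */
size_t make_overflow_url(uint16_t *out, size_t cap, uint32_t seh_value) {
    static const char prefix[] = "http://";
    size_t filler = SEH_OFFSET / 2;      /* 0x818 code units reach offset 0x1030 */
    size_t total  = filler + 2;
    if (total + 1 > cap) return 0;
    for (size_t i = 0; i < filler; i++)
        out[i] = i < sizeof prefix - 1 ? (uint16_t)prefix[i] : 0x41;
    out[filler]     = (uint16_t)(seh_value & 0xFFFFu);   /* low half lands first */
    out[filler + 1] = (uint16_t)(seh_value >> 16);
    out[total] = 0;
    return total;
}

/* Runs one copy routine over a URL inside a fresh modelled frame and reports
 * what the SEH slot holds afterwards, how many bytes the unbounded copy
 * wrote, and the hardened routine's return code. */
typedef struct { uint32_t seh_after; size_t bytes_written; int hardened_rc; } copy_result;

copy_result run_copy(const uint16_t *url, int hardened) {
    uint8_t frame[FRAME_BYTES];
    copy_result r = { 0, 0, 0 };
    memset(frame, 0, sizeof frame);
    write_le32(frame + SEH_OFFSET, ORIGINAL_HANDLER);
    if (hardened) r.hardened_rc = hardened_copy(frame, sizeof frame, url);
    else          r.bytes_written = vulnerable_copy(frame, sizeof frame, url);
    r.seh_after = read_le32(frame + SEH_OFFSET);
    return r;
}

/* The crafted URL and a short benign one against either copy routine. */
copy_result crafted_url_result(uint32_t seh_value, int hardened) {
    uint16_t url[0x900];
    if (make_overflow_url(url, sizeof url / sizeof url[0], seh_value) == 0) {
        copy_result fail = { 0, 0, -2 };
        return fail;
    }
    return run_copy(url, hardened);
}
copy_result benign_url_result(int hardened) {
    static const uint16_t url[] = { 'h','t','t','p',':','/','/','x','.','y', 0 };
    return run_copy(url, hardened);
}

int main(void) {
    copy_result v = crafted_url_result(0x42424242u, 0);
    copy_result h = crafted_url_result(0x42424242u, 1);
    printf("unbounded copy wrote 0x%zx bytes into a 0x%x-byte buffer; SEH slot now 0x%08x\n",
           v.bytes_written, BUF_BYTES, v.seh_after);
    printf("hardened copy rc=%d; SEH slot still 0x%08x\n", h.hardened_rc, h.seh_after);
    return 0;
}
```

The crafted URL is 0x81A code units long, so the copy writes 0x1036 bytes into a 0xE38-byte buffer and lands the two trailing code units on the modelled SEH slot; the model stops at the end of its own array, whereas on a real thread the write would continue until it hit an unmapped stack page. The hardened routine rejects the same URL before touching the buffer. Note that the filler bytes here are printable 'A's only for readability; the constraint that actually matters, and that the terminator check imposes on any real payload, is that no 16-bit code unit of the URL may be zero.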
References

http://www.securityfocus.com/bid/18500
http://seclists.org/lists/fulldisclosure/2006/Jun/0535.html
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3086

Write-up by: Nataraj Vasam
Copyright ©2008 iPolicy Networks - Security Product Division of Tech Mahindra Limited